Abstract

The basic properties of RSA cryptosystems and some classical attacks on them are described. Derived from geometric properties of the Euler functions, the Euler function rays, a new ansatz to attack RSA cryptosystems is presented. A resulting, albeit inefficient, algorithm is given. It essentially consists of a loop with starting value determined by the Euler function ray and with step width given by a function $\omega_e(n)$ being a multiple of the order $\mathrm{ord}_n(e)$, where $e$ denotes the public key exponent and $n$ the RSA modulus. For $n = pq$ and an estimate $r < \sqrt{pq}$ for the smaller prime factor $p$, the running time is given by $T(e,n,r) = O((r-p) \ln e \ln n \ln r)$.

1 Introduction

Since the revolutionary idea of asymmetric cryptosystems was born in the 1970's, due to Diffie and Hellman [4] and Rivest, Shamir and Adleman [9], public key technology became an indispensable part of contemporary electronically based communication. Its applications range from authentication to digital signatures and are widely considered to be an essential of future applications for e-commerce.

The most popular cryptosystem is RSA. There have been numerous, more or less unsuccessful, attacks on RSA. The strength of RSA is based on the difficulty of factorizing integers as well as of computing the discrete logarithm. For more details, see e.g. [1, 2, 3, 6]; cf. also http://www.math-it.org

*This paper is a slight modification of [10]
†e-Mail: de-vries@fh-swf.de

2 RSA cryptosystem 

The RSA cryptosystem, named after its inventors Ron Rivest, Adi Shamir, and Len Adleman 
(1978), was the first public key cryptosystem and is still the most important one. It is based 
on the dramatic difference between the ease of finding large prime numbers and computing 
modular powers on the one hand, and the difficulty of factorizing a product of large prime 
numbers as well as inverting the modular exponentiation. 

Generally, in a public key system, each participant has both a public key and a private key, which is held secret. Each key is a piece of information. In the RSA cryptosystem, each key consists of a group of integers. The participants are traditionally called Alice and Bob, and we denote their public and secret keys as $P_A$, $S_A$ for Alice and $P_B$, $S_B$ for Bob. All participants create their own pair of public and private keys. Each keeps his private key secret, but can reveal his public key to anyone or can even publish it. It is very convenient that everyone's public key is available in a public directory, so that any participant can easily obtain the public key of any other participant, just like we nowadays can get anyone's phone number from a public phone book.

In the RSA cryptosystem, each participant creates his public and private keys with the following procedure.

1. Select at random two large prime numbers $p$ and $q$, $p \neq q$. (The primes might be more than 200 digits each, i.e. more than 660 bits.)

2. Compute $n = pq$ and the Carmichael function $\lambda(n) = \mathrm{lcm}(p-1, q-1)$.

3. Select an integer $d$ relatively prime to $\lambda(n)$. ($d$ should be of the magnitude of $n$, i.e., $d \lesssim \lambda(n)$.)

4. Compute $e$ as the multiplicative inverse of $d$ modulo $\lambda(n)$, such that $ed = 1 \bmod \lambda(n)$. This is done efficiently by the extended Euclidean algorithm.

5. Publish the pair $P = (e,n)$ as the public key.

6. Keep secret the pair $S = (d,n)$ as the private or secret key.

For this procedure, the domain of the messages is $\mathbb{Z}_n$. For each participant of a cryptosystem, the four-tuple $(e,d,p,q)$ is called (individual) RSA key system. The key parameter $e$ is also called the encryption exponent, $d$ the decryption exponent, and $n$ the RSA modulus.

The encryption of a message $m \in \mathbb{Z}_n$ associated with a public key $P = (e,n)$ is performed by the function $E : \mathbb{Z}_n \to \mathbb{Z}_n$,

$$E(m) = m^e \bmod n. \tag{1}$$

The decryption of a ciphertext $c \in \mathbb{Z}_n$ associated with the private key $S = (d,n)$ is done by the mapping $D : \mathbb{Z}_n \to \mathbb{Z}_n$,

$$D(c) = c^d \bmod n. \tag{2}$$


The procedure where Alice sends an encrypted message to Bob is schematically shown in Figure 1. A qualitatively new possibility offered by public key systems (and being unimplementable with symmetric key systems) is the procedure of digital signature. How an RSA cryptosystem enables Alice to digitally sign a message and how Bob can verify that it is signed by Alice is sketched in Figure 2. As a matter of course, this verification in fact is possible only if the authenticity of Alice's public key $P_A$ is guaranteed such that Bob can assume that it is her key (and not a third person's one) which he uses. This guarantee is the job of so-called trust centers.

Figure 1: Alice sends an encrypted message $m$ to Bob, using his public RSA key $P_B$.

Figure 2: Alice sends a digitally signed message to Bob; Bob uses Alice's public key to decrypt the message and to verify this way that Alice has signed it with her private key.



The correctness of RSA, i.e., the fact that $E$ and $D$ define inverse functions on $\mathbb{Z}_n$ ($D \circ E = E \circ D = \mathrm{id}_{\mathbb{Z}_n}$) relies on the simple fact that

$$m^{ed} = m \bmod n \quad \text{for } m \in \mathbb{Z}_n, \tag{3}$$

which is immediately proved by the corollary of Carmichael A.7, p. 18. For details see, e.g., [1, 2, 3].

Remark 2.1 Often one finds the definition of RSA cryptosystems based on the Euler function $\varphi$ rather than on the Carmichael function $\lambda$, cf. [3]. However, since $\varphi(pq) = (p-1)(q-1)$, both function values $\varphi(pq)$ and $\lambda(pq)$ share the same divisors. Therefore, a possible key parameter $d$ relatively prime to $\lambda(pq)$ is also relatively prime to $\varphi(pq)$, and vice versa. Only the resulting counter key $e$ may differ. To be more precise, any possible RSA key pair of a system based on the Euler function is a possible key pair with respect to the Carmichael function, whereas the reverse is not generally true. (Proof: Since $\lambda(n) \mid \varphi(n)$, the equality $ed = 1 \bmod \varphi(n)$ implies $ed = 1 \bmod \lambda(n)$.) Using the Euler function $\varphi$, the correctness of RSA is shown with the Euler theorem A.2 on p. 16, instead of the corollary of Carmichael.



2.1 Properties of an RSA key system 

Theorem 2.2 Let $p$, $q$ be two primes, $p, q > 1$, $p \neq q$. Then the number $\nu_{pq}$ of all possible key pairs $(P,S) = ((e,pq), (d,pq))$ is given by

$$\nu_{pq} = \varphi(\lambda(pq)). \tag{4}$$

The (trivial) keys with $e = d = 1$ and with $e = d = \lambda(pq) - 1$ are always possible, and

2<v„< '7'"r",, (5) 

Proof. Since $ed = 1 \bmod \lambda(pq)$, without restriction to generality we have $0 < e, d < \lambda(pq)$. Moreover, $\gcd(d, \lambda(pq)) = \gcd(e, \lambda(pq)) = 1$, because for an arbitrary integer $a$ with $\gcd(a, \lambda(pq)) > 1$ there exists no $b \in \mathbb{N}$ such that $ab = 1 \bmod \lambda(pq)$. Therefore, $e, d \in \mathbb{Z}^*_{\lambda(pq)}$. In turn, to any $a \in \mathbb{Z}^*_{\lambda(pq)}$ there exists an integer $b$ such that $ab = 1 \bmod \lambda(pq)$, since $\mathbb{Z}^*_{\lambda(pq)}$ is a group. But the order of $\mathbb{Z}^*_{\lambda(pq)}$ is exactly $\varphi(\lambda(pq))$.

It is clear that $1 \cdot 1 = 1 \bmod \lambda(pq)$, so $e = d = 1$ are always possible as key parameters. If $e = d = \lambda(pq) - 1$, we have $ed = \lambda^2(pq) - 2\lambda(pq) + 1 = 1 \bmod \lambda(pq)$, so $e$ and $d$ are always possible, too. By (47), $\lambda(pq)$ is even and (by $pq \geq 6$) greater than 2, so $\nu_{pq} \geq 2$. The maximum number of elements on the other hand is $\lambda(pq) - 1$. □

The plot of all possible RSA key parameters $(e,d)$ reveals general symmetries in the $(e,d)$-plane. First we observe that if $P = (e,n)$, $S = (d,n)$ is a possible RSA key pair, then trivially also $P' = (d,n)$, $S' = (e,n)$ is possible, because $ed = de = 1 \bmod \lambda(n)$. Furthermore, if $ed = 1 \bmod \lambda(n)$ and $0 < e, d < \lambda(n)/2$, then

$$e' = \lambda(n) - e, \qquad d' = \lambda(n) - d \tag{6}$$

satisfy $\lambda(n)/2 < e', d' < \lambda(n)$ as well as

$$e'd' = \lambda^2(n) - \lambda(n)(e+d) + ed = ed \bmod \lambda(n).$$

Therefore, $P' = (e',n)$ and $S' = (d',n)$ are possible RSA keys, too.

To sum up, all possible RSA key parameters $(e,d)$, plotted in the square lattice $[0, \lambda(n)-1]^2$ with edges ranging from 0 to $\lambda(n)-1$, form a pattern which is symmetric to both the principal and the secondary square diagonals, see Figure 3. Thus, the region

$$U = \{(e,d) \in [0, \lambda(n)-1]^2 : 0 < d \leq \min(e, \lambda(n)-e)\} \tag{7}$$

contains all information to generate the rest of the square lattice by reflections at the main 
diagonal (d ^ e) and at the secondary diagonal (6). 
Figure 3: Plots of the possible RSA key parameter pairs $(e,d) \in [0, \lambda(n)-1]^2$ for different primes $p$ and $q$, represented as points in the $(e,d)$-plane. For the first plot, $p = 11$ and $q = 83$, for the second one $p = 19$ and $q = 131$. The shaded region is $U$ as given by (7).
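
The count (4) and the symmetries behind region (7) can be checked by brute force for the two prime pairs of Figure 3. The following Python sketch is an added example, not code from the paper; all function names are chosen here for illustration, and it also tests the statement of Remark 2.1 that Euler-based key pairs remain valid modulo $\lambda(n)$ while the reverse fails.

```python
from math import gcd

def carmichael_pq(p, q):
    """lambda(pq) = lcm(p - 1, q - 1) for distinct primes p, q (step 2)."""
    return (p - 1) * (q - 1) // gcd(p - 1, q - 1)

def euler_phi(n):
    """Euler's totient by direct counting; adequate for the toy sizes here."""
    return sum(1 for k in range(1, n + 1) if gcd(k, n) == 1)

def key_pairs(modulus):
    """All (e, d) with 0 < e, d < modulus and e*d = 1 mod modulus."""
    return {(e, pow(e, -1, modulus))
            for e in range(1, modulus) if gcd(e, modulus) == 1}

def check_theorem_2_2(p, q):
    """Brute-force check of (4), the trivial keys and the symmetries (6), (7)."""
    lam = carmichael_pq(p, q)
    pairs = key_pairs(lam)
    # Region U of (7): the part of the square below both diagonals.
    region_u = {(e, d) for (e, d) in pairs if 0 < d <= min(e, lam - e)}
    generated = set()
    for e, d in region_u:
        generated |= {(e, d), (d, e),
                      (lam - e, lam - d), (lam - d, lam - e)}
    return {
        "lambda": lam,
        "count": len(pairs),
        "count_is_phi_of_lambda": len(pairs) == euler_phi(lam),
        "trivial_keys": {(1, 1), (lam - 1, lam - 1)} <= pairs,
        "swap_symmetry": all((d, e) in pairs for e, d in pairs),
        "reflection_symmetry": all((lam - e, lam - d) in pairs
                                   for e, d in pairs),
        "u_generates_all": generated == pairs,
    }

def check_remark_2_1(p, q):
    """(Euler pairs all valid mod lambda, some Carmichael pair invalid mod phi)."""
    lam, phi = carmichael_pq(p, q), (p - 1) * (q - 1)
    euler_ok = all(e * d % lam == 1 for e, d in key_pairs(phi))
    reverse_fails = any(e * d % phi != 1 for e, d in key_pairs(lam))
    return euler_ok, reverse_fails

if __name__ == "__main__":
    for p, q in [(11, 83), (19, 131)]:      # the primes used in Figure 3
        print((p, q), check_theorem_2_2(p, q), check_remark_2_1(p, q))
```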

2.2 Classical RSA attacks 

There are several specific methods to break an RSA cryptosystem. The initial situation for an attack is that an eavesdropper knows the public key $P = (e,n)$ and the encrypted message $c$. For details see, e.g., [1] and [2, §7].

2.2.1 Factorization of the RSA modulus n 

If the eavesdropper succeeds in finding the factorization $n = pq$ of $n$, knowing $e$ he can easily compute $d$. But factorization of numbers $n = pq$ with

$$p, q > 10^{200} \tag{8}$$

(hence $n > 10^{400}$, i.e., $n$ has length more than about 1320 bits), is difficult with current technology, if $p$ and $q$ differ enough,

$$|p - q| > 10^{100}. \tag{9}$$

Otherwise $n$ can be factorized efficiently by exhaustive search of two integers $n_+$ and $n_-$ satisfying $n = n_+^2 - n_-^2$, beginning at $n_+ = \lceil \sqrt{n}\, \rceil$ and $n_- = 0$. These two integers then necessarily obey $n_\pm = \frac{q \pm p}{2}$.

It can be proved that, knowing the public key $(e,n)$, factorizing the RSA modulus $n$ is as difficult as finding the secret key $(d,n)$, see [2, §7.2.5].

Factorization is the most efficient known attack on RSA. The fastest known factorization method, the number field sieve of John Pollard in 1988, yields running times for a 10 GHz computer as given in Table 1.

    magnitude of the number    bits    operations             CPU time
    $n \approx$                167     $1.4 \cdot 10^{10}$    14 seconds
    $n \approx 10^{75}$        250     $9 \cdot 10^{12}$      2.5 hours
    $n \approx 10^{100}$       330     $2.3 \cdot 10^{15}$    26.6 days
    $n \approx 10^{200}$       665     $1.2 \cdot 10^{23}$    3.8 mio years
    $n \approx 10^{300}$       1000    $1.5 \cdot 10^{29}$    $4.9 \cdot 10^{12}$ years

Table 1: CPU times for factorizing of numbers $n$ on a 10 GHz computer.

2.2.2 Chosen-plaintext attack

The eavesdropper systematically encrypts all messages $m$ with Bob's public key $P_B$ until he achieves the ciphertext $c$. This attack is efficient if the set of messages $m$ is small or if the message $m$ is short.

    "Pad" each message such that its size is of the magnitude of the
    modulus. Use "probabilistic encryption," where a given plaintext
    is mapped onto several ciphertexts.                              (10)



2.2.3 Chosen-ciphertext attack 

There is a similar method, the chosen-ciphertext attack, which can be applied if Bob signs a document with his private key. The eavesdropper receiving the ciphertext $c$ and wishing to find the decryption $m = c^d \bmod n$ chooses a random integer $s$ and asks Bob to digitally sign the innocent-looking message $\tilde c = s^e c \bmod n$. From his answer $\tilde m$ it is easy to recover the original message, because $m = \tilde m / s \bmod n$.

    Never sign unknown documents; before signing a document, always
    apply a one-way hash function to it.                             (11)



2.2.4 Message iteration 

Let $c_i \in \mathbb{Z}_n$ be iteratively defined as

$$c_0 = m, \qquad c_i = c_{i-1}^{\,e} \bmod n \quad (i = 1, 2, \ldots).$$

In fact, $c_i = m^{e^i} \bmod n$, and $c_1 = c$ is the ciphertext. The smallest index $k$ with $c_{k+1} = c_1$ is the iteration exponent or period of $m$, cf. definition 3.3: it exactly shows (!) the original message $m$.

Such a period $k$ uniquely exists, it is the order of $e$ modulo $\lambda(n)$, $k = \mathrm{ord}_{\lambda(n)}(e)$, cf. (15). Thus it divides $\lambda(\lambda(n))$ and $\varphi(\lambda(n))$. To avoid an efficient attack by iteration, $\lambda(\lambda(n))$ and the order of $e$ with respect to $\lambda(n)$ have to be large.

    $\lambda(\lambda(n)),\ \mathrm{ord}_{\lambda(n)}(e) > 10^{200}$                (12)

This condition is satisfied for so-called "doubly safe primes" $p$ and $q$: A prime $p$ is doubly safe, if both $(p-1)/2$ and $(p-3)/4$ are primes. For instance, 11, 23, 47, 167, 359 are doubly safe primes. A doubly safe prime $p \neq 11$ always has the form $24a - 1$, or $p = -1 \bmod 24$. For two



doubly safe primes p, q, we have X{pq) 



2 and therefore A(A(p<7)) = lcm(2, ^y^. 
2.2.5 Broadcast decryption by the low-exponent attack

In general, it may be convenient to use a small public key parameter $e$ such that the encryption of a message is easy to compute (for instance for a small chip card). However, suppose Alice sends the same message to $l$ different participants whose public keys are $P_i = (e, n_i)$ where the $n_i$'s are relatively prime to each other and $l \geq e$; to emphasize, the public keys have the same encryption exponent $e$. If an eavesdropper receives the $l$ ciphertexts $c_i = m^e \bmod n_i$ he can easily compute $c' = c_i \bmod n_1 \cdots n_l$ by the Chinese remainder theorem. But if the product $n_1 \cdots n_l$ is great enough, this is the same as $c' = m^e$. This equation is invertible, viz., $m = \sqrt[e]{c'}$, and the original message is computed. To avoid this attack, each pair of public keys $P_i = (e_i, n_i)$, $P_j = (e_j, n_j)$ and any broadcast message $m$ must satisfy

    $e_i \neq e_j$ or $m^{e_i}, m^{e_j} > n_i n_j$                                (13)

2.2.6 Broadcast decryption by the common modulus attack

If a plain text $m$ is encrypted twice by the RSA system using two public keys $P_i = (e_i, n)$, $i = 1, 2$, with a common modulus $n$ and $\gcd(e_1, e_2) = 1$, then $m$ can be recovered efficiently from the two ciphertexts $c_1$ and $c_2$, each of which given by $c_i = m^{e_i} \bmod n$. This is done by the following procedure.

1. Compute $x_1$, $x_2$ satisfying $x_1 e_1 + x_2 e_2 = 1$ by the extended Euclidean algorithm, where the indices are chosen such that $x_2 < 0$.

2. Determine $y$ satisfying $1 = y c_2 + kn$ by the extended Euclidean algorithm.

3. Calculate $c_1^{x_1} y^{-x_2} \bmod n$: this is the plain text!

The reason is that $c_1^{x_1} y^{-x_2} = c_1^{x_1} c_2^{x_2} = m^{x_1 e_1 + x_2 e_2} = m \bmod n$. Let the public keys be $P_1 = (3, 493)$ and $P_2 = (5, 493)$, and the corresponding ciphertexts $c_1 = 293$ and $c_2 = 421$. Then the extended Euclidean algorithm yields $x_1 = 2$ and $x_2 = -1$, and thus $y = 89$ and $k = -76$ (such that $89 \cdot 421 - 76 \cdot 493 = 1$); finally, $293^2 \cdot 89^1 = 67 \cdot 89 = 5963 = 47 \bmod n$, i.e. $m = 47$ is the plaintext. In fact, $493 = 17 \cdot 29$, and $S_1 = (17, 29, 75)$, $S_2 = (17, 29, 45)$, and $m = c_1^{75} = c_2^{45} = 47 \bmod 493$.

Therefore, to avoid common modulus attacks, a sender should regard:

    Never send identical messages to receivers with the same modulus
    and relatively prime encryption exponents.                       (14)

3 The Euler function ray attack

3.1 The ω-function and the order of a number modulo n

Definition 3.1 Let $n \in \mathbb{N}$, $n > 1$, and $\mathbb{Z}_n^*$ the multiplicative group modulo $n$. Then the order $\mathrm{ord}_n(m)$ of $m \in \mathbb{Z}_n^*$ is given by

$$\mathrm{ord}_n(m) = \min\{k \in \mathbb{N} : k > 0,\ m^k = 1 \bmod n\}. \tag{15}$$

If $\gcd(m,n) > 1$, $\mathrm{ord}_n(m) = \infty$.

Let $\langle m \rangle$ denote the subgroup of $\mathbb{Z}_n^*$ generated by $m$. E.g., $\langle 2 \rangle = \{1, 2, 4\}$ in $\mathbb{Z}_7^*$, and $\mathrm{ord}_7(2) = 3$. Note that $\varphi(7) = \lambda(7) = 6$.

Lemma 3.2 Let $m, n \in \mathbb{N}$, with $\gcd(m,n) = 1$ and $m < n$. Then

$$\mathrm{ord}_n(m) \mid \lambda(n). \tag{16}$$

Moreover,

$$\lfloor \log_m n \rfloor \leq \mathrm{ord}_n(m) \leq \lambda(n) \leq n - 1. \tag{17}$$

Proof. With Carmichael's theorem A.4 and with the Lagrange theorem [3, §33] equation (16) is deduced.

Let $a = \mathrm{ord}_n(m)$. Since $m > 1$, we have $m^a > n$ to obtain $m^a = 1 \bmod n$. This implies $a > \log_m n$. The upper limits follow from the relations (55) and (16). □

Definition 3.3 Let $m, n, e \in \mathbb{N}$, $n > 1$, and define the sequence $(c_0, c_1, c_2, \ldots)$ iteratively by

$$c_0 = m, \qquad c_i = c_{i-1}^{\,e} \bmod n \quad (i = 1, 2, \ldots). \tag{18}$$

Then the smallest $k \geq 1$ such that $c_k = c_0$ is called $(n,e)$-iteration exponent $s(n,e,m)$ of $m$. It is the period of the cycle $(c_0, c_1, \ldots, c_{s(n,e,m)-1})$ to which $m$ belongs. A cycle with period one is a fixed point.

Lemma 3.4 Let $e, m, n$ and the sequence $(c_0, c_1, c_2, \ldots)$ be as in definition 3.3. Let moreover $e$ be relatively prime to $\lambda(n)$. Then the $(n,e)$-iteration exponent $s(n,e,m)$ satisfies

$$s(n,e,m) \mid \lambda(\lambda(n)). \tag{19}$$

Proof. Note that for the sequence (18) we have $c_i = m^{e^i} \bmod n$. For $s(n,e,m)$ we thus have

$$m^{e^{s(n,e,m)}} = m \bmod n. \tag{20}$$

By (54) we have = e mod A(«), which implies by definition 3.3 that ord;L(„)(e) = 

s{n,e,m). Relation (16) yields the assertion. □ 

Example 3.5 Let $e = 7$, $n = 55 = 5 \cdot 11$. Then $\lambda(55) = 20$, and $\lambda(\lambda(55)) = 4$. Denoting $c_0 = 51$, we obtain

$$\begin{aligned}
c_1 &= 51^7 \bmod 55 = 6 \\
c_2 &= 6^7 \bmod 55 = 41 \\
c_3 &= 41^7 \bmod 55 = 46 \\
c_4 &= 46^7 \bmod 55 = 51 = c_0
\end{aligned}$$

Hence, the period of the cycle which 51 belongs to is $s(n,e,m) = 4$. Note by (19) that this is the maximum value. Analogously, there are the following cycles.

    9 fixed points          (0), (1), (10), (11), (21), (34), (44), (45), (54)
    3 cycles of period 2    (12, 23), (22, 33), (32, 43)
    10 cycles of period 4   (2, 18, 17, 8), (3, 42, 48, 27)
                            (4, 49, 14, 9), (5, 25, 20, 15)
                            (6, 41, 46, 51), (7, 28, 52, 13)
                            (16, 36, 31, 26), (19, 24, 29, 39)
                            (30, 35, 40, 50), (37, 38, 47, 53)
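
The cycle structure of Example 3.5, and the reason rule (12) of Section 2.2.4 asks for a large $\mathrm{ord}_{\lambda(n)}(e)$, can be reproduced with a few lines of Python. This is an added example, not code from the paper; the function names are chosen here, and it assumes that $c \mapsto c^e \bmod n$ permutes $\mathbb{Z}_n$ (true for squarefree $n$ with $\gcd(e, \lambda(n)) = 1$).

```python
from math import gcd

def iteration_cycle(e, n, m):
    """Cycle (c_0, c_1, ...) of Definition 3.3 starting at c_0 = m."""
    cycle, c = [m % n], pow(m, e, n)
    while c != cycle[0]:
        if len(cycle) > n:      # never returned to m: the map is no permutation
            raise ValueError("c -> c^e mod n does not permute Z_n")
        cycle.append(c)
        c = pow(c, e, n)
    return cycle

def all_cycles(e, n):
    """Partition of Z_n into the cycles of c -> c^e mod n, smallest start first."""
    seen, cycles = set(), []
    for m in range(n):
        if m not in seen:
            cyc = iteration_cycle(e, n, m)
            seen.update(cyc)
            cycles.append(cyc)
    return cycles

def period_histogram(e, n):
    """Map period -> number of cycles with that period."""
    hist = {}
    for cyc in all_cycles(e, n):
        hist[len(cyc)] = hist.get(len(cyc), 0) + 1
    return hist

def order(a, modulus):
    """ord_modulus(a) by repeated multiplication (brute force)."""
    if gcd(a, modulus) != 1:
        raise ValueError("order undefined: gcd(a, modulus) != 1")
    if modulus == 1:
        return 1
    k, x = 1, a % modulus
    while x != 1:
        x, k = x * a % modulus, k + 1
    return k

def plaintext_by_iteration(e, n, c):
    """Re-encrypt c until it reappears; the element just before is m."""
    cyc = iteration_cycle(e, n, c)
    return cyc[-1], len(cyc) - 1     # (plaintext, re-encryptions needed)

if __name__ == "__main__":
    print(period_histogram(7, 55))            # cycle counts of Example 3.5
    print(order(7, 20))                       # ord_{lambda(55)}(7)
    print(plaintext_by_iteration(7, 55, 6))   # ciphertext 6 of m = 51
```

Every period divides `order(e, lambda(n))`, so a key pair whose exponent has small order modulo $\lambda(n)$ exposes all messages after a few re-encryptions.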
Definition 3.6 Let $m, n \in \mathbb{Z}$, $n \neq 0$. Then we define the function

$$\omega_m(n) = \begin{cases} \mathrm{ord}_n(m) & \text{if } \gcd(m,n) = 1, \\ 0 & \text{if } \gcd(m,n) \neq 1. \end{cases} \tag{21}$$

It is obvious that $m^{\omega_m(n)} = 1 \bmod n$ for any $m, n \in \mathbb{Z}$, $n \neq 0$ (since this is the definition of the order function). Substituting $n$ by $\omega_m(n)$ immediately yields

$$m^{\omega_m(\omega_m(n))} = 1 \bmod \omega_m(n). \tag{22}$$

Here "$a = b \bmod 0$" has to be understood as a congruence in $\mathbb{Z}$, i.e. as "$a = b$." By iteration, we obtain the cascading-$\omega$ equation

where $\omega_m^r(n) = \omega_m(\omega_m(\cdots(\omega_m(n))\cdots))$ denotes the $r$-fold composition of $\omega_m$.

Theorem 3.7 Let $d, e, n \in \mathbb{N}$, such that $n > 1$, $\gcd(e,n) = 1$, and $d \cdot e = 1 \bmod \lambda(n)$. Then $\omega_e(\omega_e(n)) > 0$, and

$$d = e^{\omega_e(\omega_e(n)) - 1} \bmod \omega_e(n). \tag{24}$$

Proof. First we note by (16) that $\omega_e(n) \mid \lambda(n)$. Therefore, $de = 1 \bmod \lambda(n)$ implies

$$d \cdot e = 1 \bmod \omega_e(n). \tag{25}$$

(If $de - 1 = k\lambda(n)$ for a $k \in \mathbb{Z}$, then $de - 1 = k'\omega_e(n)$, where $k' = k\lambda(n)/\omega_e(n)$.) If we had now $\omega_e(\omega_e(n)) = 0$, then $e$ would divide $\omega_e(n)$ and hence $\lambda(n)$: But then there would be no $d$ with $de = 1 \bmod \lambda(n)$. Hence, $\omega_e(\omega_e(n)) > 0$. Moreover, by the cascading-$\omega$ equation (22) we have

$$e^{\omega_e(\omega_e(n)) - 1} \cdot e = 1 \bmod \omega_e(n). \tag{26}$$

Equation (24) follows immediately from (25) and (26). □

Example 3.8 Let $n = 221$ and $e = 11$. Then $\omega_{11}(221) = 48$, $\omega_{11}(48) = 4$, hence

$$d = 11^3 = 35 \bmod 48.$$

Therefore, the possible $d < 221$ are $d = 35, 83, 131, 179$. In fact, $221 = 13 \cdot 17$, and $\lambda(221) = 48$; this means that $11 \cdot 35 = 1 \bmod \lambda(221)$, or $d = 35$.

The two shoulders on which Theorem 3.7 rests are equations (25) and (26). They can be 
extended to analogues for the following corollary. 

Corollary 3.9 Let $e, n, a, b \in \mathbb{N}$ such that $n > 1$ and $\gcd(e,n) = 1$, as well as $\lambda(n) \mid \omega_e(a\omega_e(n))$. Then the integer

$$\tilde d = e^{b\,\omega_e(a\omega_e(n)) - 1} \bmod a\omega_e(n) \tag{27}$$

satisfies $\tilde d e = 1 \bmod a\omega_e(n)$, and for any number $m \in \mathbb{Z}_n$ we have

$$m^{\tilde d e} = m \bmod n. \tag{28}$$

If the integer $a$ is such that $\omega_e(a\omega_e(n)) \mid \lambda(n)$, then the unique $d < \lambda(n)$ with $de = 1 \bmod \lambda(n)$ is related to $\tilde d$ by

$$d = \tilde d \bmod a\omega_e(n). \tag{29}$$

Proof. Substituting $n$ by $a\omega_e(n)$, from $m^{\omega_m(n)} = 1 \bmod n$ for any $m \in \mathbb{Z}$ we deduce that $e^{b\,\omega_e(a\omega_e(n))} = 1 \bmod a\omega_e(n)$. Especially, with (27) we have

$$\tilde d \cdot e = e^{b\,\omega_e(a\omega_e(n))} = 1 \bmod a\omega_e(n). \tag{30}$$

If I we have m''^ '^"'i mod n = "'"^f") mod « = '^(«) mod « 

$= m \bmod n$. (Note that $\lambda(n)$ enters the scene in the second last equation to fulfill the equation for all $m$!) In turn, if $\omega_e(a\omega_e(n)) \mid \lambda(n)$, then $de = 1 \bmod \lambda(n)$ implies $de = 1 \bmod a\omega_e(n)$; thus (29) follows from (30). □

Example 3.10 Let $n = 143$ and $e = 47$. Then $\omega_{47}(143) = 20$, and with $a = 2$, $b = 3$, we have $3\,\omega_{47}(40) = 12$, hence

$$\tilde d = 47^{11} = 23 \bmod 40.$$

Therefore, $m^{\tilde d e} = m^{1081} = m \bmod 143$. In fact, $143 = 11 \cdot 13$, and $\lambda(143) = 60$; this means that $47 \cdot 23 = 1 \bmod \lambda(143)$, or $d = 23$.

Remark 3.11 Given two relatively prime integers $e$ and $n$, corollary 3.9 enables us to choose an (almost) arbitrary multiple of the order $\mathrm{ord}_n(e) > 0$ to find an integer $d$ being a kind of "inverse" of $e$: If the multiple is small enough such that it divides $\lambda(n)$, our result supplies a list of values, one of which satisfies $ed = 1 \bmod \lambda(n)$; if the multiple is also a multiple of $\lambda(n)$, we can compute $d$ such that $de = 1 \bmod a\,\mathrm{ord}_n(e)$. In particular, by (47) and (16) the Euler function is a multiple of both $\lambda(n)$ and $\mathrm{ord}_n(e)$.
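
Definition 3.6, equation (24) and equation (27) can be replayed on the numbers of Examples 3.8 and 3.10. The Python below is an added example, not code from the paper; the function names are chosen here, and `omega` finds the order by repeated multiplication, which is only feasible for toy moduli.

```python
from math import gcd

def omega(m, n):
    """omega_m(n) of Definition 3.6: ord_n(m) if gcd(m, n) = 1, else 0."""
    n = abs(n)
    if n == 0:
        raise ValueError("omega_m(n) is only defined for n != 0")
    if gcd(m, n) != 1:
        return 0
    if n == 1:
        return 1                 # every congruence holds modulo 1
    k, x = 1, m % n
    while x != 1:                # brute force: cost grows with ord_n(m)
        x, k = x * m % n, k + 1
    return k

def theorem_3_7(e, n):
    """(omega_e(n), omega_e(omega_e(n)), residue of d mod omega_e(n)) per (24)."""
    w = omega(e, n)
    if w == 0:
        raise ValueError("gcd(e, n) != 1")
    w2 = omega(e, w)
    if w2 == 0:
        return w, 0, None        # no d with d*e = 1 mod lambda(n) can exist
    return w, w2, pow(e, w2 - 1, w)

def candidates_below(residue, step, bound):
    """All integers congruent to residue mod step in [residue, bound)."""
    return list(range(residue, bound, step))

def corollary_3_9(e, n, a, b):
    """(d~, a*omega_e(n)) with d~ from (27); None if the inner omega vanishes."""
    modulus = a * omega(e, n)
    w2 = omega(e, modulus)
    if w2 == 0:
        return None
    return pow(e, b * w2 - 1, modulus), modulus

def inverts_encryption(d, e, n):
    """True iff m^(e*d) = m mod n for every m in Z_n, i.e. (3) or (28) holds."""
    return all(pow(m, e * d, n) == m for m in range(n))

if __name__ == "__main__":
    w, w2, d0 = theorem_3_7(11, 221)                 # Example 3.8
    print(w, w2, d0, candidates_below(d0, w, 221))
    print(corollary_3_9(47, 143, a=2, b=3))          # Example 3.10
    print(inverts_encryption(23, 47, 143))
```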

3.2 Properties of composed numbers n = pq

Let $p$, $q$ be two primes, $p \neq q$. Then $n = pq$ is an integer composed of two primes. Among the integers $n$ less than 50 there are 13 ones composed of two primes, $n = pq$, whereas less than 100 there are 30 ones, shown in the following tables.

    n       6  10  14  15  21  22  26  33  34  35  38  39  46  51  55
    φ(n)    2   4   6   8  12  10  12  20  16  24  18  24  22  32  40
    λ(n)    2   4   6   4   6  10  12  10  16  12  18  12  22  16  20

    n      57  58  62  65  69  74  77  82  85  86  87  91  93  94  95
    φ(n)   36  28  30  48  44  36  60  40  64  42  56  72  60  46  72
    λ(n)   18  28  30  12  22  36  30  40  16  42  28  12  30  46  36


Let us now study the geometric structure of the Euler function. 

Theorem 3.12 Let $n = pq$ be a positive integer, composed of two primes $p$ and $q$ with $p < q$. For any integer $p_{\min} \in \mathbb{N}$ satisfying $p_{\min} \leq p$ we then have

$$\varphi(n) \geq (p_{\min} - 1)\left(\frac{n}{p_{\min}} - 1\right). \tag{31}$$

The inequality is strict, if $p_{\min} < p < q$.

Proof. We have $\varphi(n) = (p-1)\left(\frac{n}{p} - 1\right)$, and $\varphi(n)$ is a function of $p$:

$$g(p) = \varphi(n) = n - p - \frac{n}{p} + 1.$$

Since $g'(p) = -1 + n/p^2 < 0$, for fixed $n$ the function $g$ is strictly decreasing with respect to $p$, as long as $p < q$, i.e. as $n/p^2 > 1$. □

Geometrically, this result means that in the graph of $\varphi(n)$ the point $(n, \varphi(n))$ lies above the "Euler function ray" (see Figure 4)

$$f_p(x) = \left(x,\ (p-1)\left(\frac{x}{p} - 1\right)\right). \tag{32}$$

Figure 4: Plot of the Euler function $\varphi(pq)$, with $p$, $q$ prime; also sketched are the rays $f_p$ for $p$ = 2, 3, 5, 7, 11, 13, 17, 19, 23.



Theorem 3.13 Let $p$, $q$ be two primes, $p < q$, $e$ an integer with $e > 1$, and $n = pq$. Moreover define for $a \in \mathbb{N}$ the exponents $\delta_{e,n}$, $\gamma_{e,a} \in \mathbb{N}$ by

$$\delta_{e,n} = \max\{i \in \mathbb{N} : e^i \leq n\} = \left\lfloor \frac{\ln n}{\ln e} \right\rfloor, \qquad \gamma_{e,a} = \max\{i \in \mathbb{N} : e^i \mid a\}, \tag{33}$$

as well as

$$r_\pm = \tfrac{1}{2}\left(A \pm \sqrt{A^2 - 4n}\right) \quad \text{with } A = p + q + \delta_{e,n}. \tag{34}$$

Then for any integers $b, r \in \mathbb{N}$, $r_- \leq r \leq p$ or $q \leq r \leq r_+$, satisfying

$$b\, e^{\lfloor f(r) \rfloor} = 1 \bmod n, \quad \text{where } f(r) = (r-1)\left(\frac{n}{r} - 1\right), \tag{35}$$

the Euler function value $\varphi(n)$ can be computed by

$$\varphi(n) = \gamma_{e,b} + \lfloor f(r) \rfloor. \tag{36}$$

Proof. Note first that real values for $r_\pm$ always exist since the term in the square root is positive, $A^2 > (p+q)^2$, i.e. $A^2 - 4n > (q-p)^2 > 0$. We see that $(p-1)(q-1) - (r-1)(n/r - 1) = \frac{1}{r}(r^2 - Ar + n) + \delta_{e,n}$. Solving this quadratic equation with respect to $r$, straightforward calculation thus shows that the inequalities for $r$ are equivalent to the inequalities

$$0 \leq (p-1)(q-1) - (r-1)\left(\frac{n}{r} - 1\right) \leq \delta_{e,n}, \tag{37}$$

which means that $0 \leq \varphi(n) - (r-1)\left(\frac{n}{r} - 1\right) \leq \delta_{e,n}$. On the other hand, $b$ being the multiplicative inverse of $e^{\lfloor f(r) \rfloor}$ by the modular equation in (35), we have $b = e^j \bmod n$ for some $j \in \mathbb{N}$, in particular for $j = \varphi(n) - \lfloor f(r) \rfloor$. But if $j \leq \delta_{e,n}$, we have $b = e^j$, and $j = \gamma_{e,b}$. □

Example 3.14 Let $p = 11$, $q = 13$, and $e = 7$. Then $\delta_{7,143} = 2$, and thus $A = 26$, $r_\pm = 13 \pm \sqrt{26}$. So $r$ shall satisfy $8 \leq r \leq 11$ or $13 \leq r \leq 18$. For $r = 8$, e.g., we have

$$(r-1)\left(\frac{n}{r} - 1\right) = 7 \cdot 16.875 = 118.125;$$

Since $7^{118} = 108 \bmod 143$, we achieve by the extended Euclidean algorithm $b = 49 = 7^2$ (because $1 = 49 \cdot 108 - 37 \cdot 143$), and with $\gamma_{7,49} = 2$ we obtain

$$\varphi(143) = 118 + \gamma_{7,49} = 120.$$

In fact, $\varphi(143) = 10 \cdot 12$. □

Example 3.15 Let $p = 3\,336\,670\,033$, $q = 9\,876\,543\,211$, and $e = 2$. Then

$$n = 32954765761773295963,$$

$\delta_{2,n} = 64$, and thus

$$A = 13213213308, \quad r_- = 3336670000.3, \quad r_+ = 9876543307.6.$$

For $r = 9\,876\,543\,308$, e.g., we have

$$\lfloor f(r) \rfloor = 32954765748560082656.$$

Since

$$2^{\lfloor f(r) \rfloor} = 7542048005965299043 \bmod n,$$

we achieve by the extended Euclidean algorithm

$$b = 18446744073709551616$$

and with $\gamma_{2,b} = 64$ we obtain

$$\varphi(n) = \lfloor f(r) \rfloor + \gamma_{2,b} = 32954765748560082720.$$

□
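
Equations (33) to (36) translate directly into exact integer arithmetic. The following Python is an added example, not code from the paper: the function names are chosen here, the test value $r = 9\,876\,543\,300$ for the modulus of Example 3.15 is picked here so that it lies inside $q \leq r \leq r_+$, and $\lfloor f(r) \rfloor$ is computed as $\lfloor (r-1)(n-r)/r \rfloor$ to avoid floating point.

```python
from math import gcd

def delta(e, n):
    """delta_{e,n} of (33): the largest i with e^i <= n."""
    i, power = 0, e
    while power <= n:
        i, power = i + 1, power * e
    return i

def exact_power(e, b):
    """Return gamma with b == e^gamma as integers, or None if b is no power of e."""
    gamma = 0
    while b % e == 0:
        b //= e
        gamma += 1
    return gamma if b == 1 else None

def floor_f(n, r):
    """floor(f(r)) for f(r) = (r - 1)(n/r - 1), without rounding errors."""
    return (r - 1) * (n - r) // r

def in_window(p, q, e, r):
    """True iff r_- <= r <= p or q <= r <= r_+ with r_+- as in (34)."""
    n = p * q
    a_sum = p + q + delta(e, n)          # the quantity A of (34)
    return r * r - a_sum * r + n <= 0 and (r <= p or r >= q)

def phi_from_ray(e, n, r):
    """Apply (35) and (36): floor(f(r)) + gamma if b is an exact power of e.

    Returns None when the inverse b is not a power of e (r misses the window).
    For r inside the window of Theorem 3.13 the result is phi(n); elsewhere a
    non-None result is only an exponent k with e^k = 1 mod n.
    """
    if gcd(e, n) != 1:
        return None
    i = floor_f(n, r)
    b = pow(pow(e, i, n), -1, n)         # b * e^i = 1 mod n
    gamma = exact_power(e, b)
    return None if gamma is None else i + gamma

# Numbers of Example 3.15 (from the text); R15 is a value chosen for this sketch.
P15, Q15 = 3336670033, 9876543211
N15 = P15 * Q15
R15 = 9876543300

if __name__ == "__main__":
    window = [r for r in range(2, 30) if in_window(11, 13, 7, r)]
    print(window, [phi_from_ray(7, 143, r) for r in window])   # Example 3.14
    print(phi_from_ray(7, 143, 5))       # r outside the window
    print(delta(2, N15), in_window(P15, Q15, 2, R15), phi_from_ray(2, N15, R15))
```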



The following lemma tells us the grade of "coarse graining," i.e., a step-width that a systematic and definite search for an appropriate Euler function ray factor $r$ must use.

Lemma 3.16 Let $p$, $q$ be two primes, $p < q$, $e$ an integer $e > 1$, and $n = pq$. Moreover let $r_\pm$ and $\delta_{e,n}$ be defined as in theorem 3.13 by equations (33) and (34). Then

$$r_+ - q > \frac{\delta_{e,pq}}{2}. \tag{38}$$

Moreover,

$$p - r_- > \frac{\delta_{e,pq}}{2} \quad \text{if } \delta_{e,pq} < \tfrac{2}{3}(3p - q). \tag{39}$$

Proof. By $A^2 - 4pq = (q-p)^2 + 2(p+q)\delta_{e,pq} + \delta_{e,pq}^2$ we achieve for $\delta_{e,pq} > 0$

$$r_+ = \tfrac12\left(A + \sqrt{A^2 - 4pq}\right) = \tfrac12\left(A + \sqrt{(q-p)^2 + 2(p+q)\delta_{e,pq} + \delta_{e,pq}^2}\right) > \tfrac12 (A + q - p) = \tfrac12 (2q + \delta_{e,pq}) = q + \frac{\delta_{e,pq}}{2}.$$

Analogously, by (39) we have $2(q-p) + \tfrac32 \delta_{e,pq} < q + p$, i.e. $(q-p)^2 + 2(q+p)\delta_{e,pq} + \delta_{e,pq}^2 > (q-p)^2 + 4(q-p)\delta_{e,pq} + 4\delta_{e,pq}^2 = (q - p + 2\delta_{e,pq})^2$, i.e.

$$r_- = \tfrac12\left(A - \sqrt{(q-p)^2 + 2(p+q)\delta_{e,pq} + \delta_{e,pq}^2}\right) < \tfrac12\left(A - \sqrt{(q-p)^2 + 4(q-p)\delta_{e,pq} + 4\delta_{e,pq}^2}\right)$$

□


3.3 The algorithm 

An algorithm to break an RSA cryptosystem is shown below in pseudocode. It is invoked with the public key $(e,n)$ and the estimate $r$ for the Euler function ray as input parameters and returns a possible private RSA key parameter $d$ corresponding to $e$. If it fails, $d \leq 0$ is returned.

    long rayAttack( e, n, r ) {
        // store an array a such that a[i] = m^(2^i) < n:
        a[0] = e;
        j = 1;
        while ( a[j-1] < n ) {
            a[j] = a[j-1] * a[j-1];
            j++;   // advance the index so that the loop terminates
        }
        delta = 0;
        while ( e^(delta + 1) <= n ) delta++;
        step = delta / 2;
        d = 0; r = n^(1/2);
        while ( d == 0 && r > 0 ) {
            ord = omega(e, n, r);
            if ( ord > 0 ) d = euclid( e, ord )[0];
            else r -= step;
        }
        return d;
    }
The heart of algorithm rayAttack is the algorithm $\omega(m,n,r)$ determining an integer $i$ being a multiple of $\mathrm{ord}_n(e)$ on the basis of corollary 3.9. Both algorithms use the extended Euclidean algorithm euclid. In detail:

    /** returns minimum i >= (r - 1) * (n/r - 1) such that m^i = 1 mod n
     *  returns 0 if i is not computable, and -1 if the algorithm fails
     */
    long omega( m, n, r ) {
        if ( gcd(m,n) != 1 ) return 0;
        else {
            i = (r - 1) * (n/r - 1);
            m = m % n;
            // determine b such that b * m^i = 1 mod n:
            b = euclid( n, ( m^i % n ) )[1] mod n;
            // determine maximum exponent gamma such that m^gamma divides b:
            gamma = 0;
            for ( k = a.length - 1; k >= 0; k-- ) {
                if ( b >= a[k] ) {
                    if ( b % a[k] == 0 ) {
                        gamma += 2^k;
                        b /= a[k];
                    }
                    else break; // not a power of e
                }
            }
            i += gamma;
            if ( i > 0 && b != 1 ) {
                i = -1; // algorithm fails!
            }
            return i;
        }
    }

The classical Euclidean algorithm reads: 

    // euclid(m,n) = extended Euclidean algorithm
    // returning x0, x1 s.t. gcd(m,n) = x0 * m + x1 * n:
    long[] euclid( long m, long n ) {
        x[] = {1, 0};
        u = 0, v = 1;
        mNegative = false, nNegative = false;
        if ( m < 0 ) { m = -m; mNegative = true; }
        if ( n < 0 ) { n = -n; nNegative = true; }
        while ( n > 0 ) {
            // determine q and r such that m = qn + r:
            q = m / n; r = m % n;
            // replace:
            m = n; n = r;
            tmp = u; u = x[0] - q*u; x[0] = tmp;
            tmp = v; v = x[1] - q*v; x[1] = tmp;
        }
        if ( mNegative ) x[0] = -x[0];
        if ( nNegative ) x[1] = -x[1];
        return x;
    }

3.3.1 Complexity analysis

First we note that the running time $T_{\mathrm{euclid}}(m,n)$ of Euclid's algorithm for two input integers $m$, $n$ is given by

$$T_{\mathrm{euclid}}(m,n) = \log_\phi[(3 - \phi) \cdot \max(m,n)], \tag{40}$$

where $\phi$ is the golden ratio $\phi = (1 + \sqrt{5})/2$, see [5, §4.5.3, Corollary L (p.360)]. If we consider, to simplify, the running time as the number of loops to be performed, we therefore achieve for the running time $T_\omega(m,n,r)$ of the $\omega$-function $T_\omega(m,n,r) = T_{\mathrm{pow}}(m, \lfloor f(r) \rfloor) + T_{\mathrm{euclid}}(n, m^{\lfloor f(r) \rfloor} \bmod n) + \tfrac12 \log_m n + \tfrac12 \log_m n$, i.e. [2, §2.12]

$$T_\omega(m,n,r) = \log_2 \lfloor f(r) \rfloor \cdot (\log_2 n)^2 + \log_\phi[(3 - \phi) n] + \log_m n. \tag{41}$$



Since the complexity $T_{\mathrm{ray}}(e,pq,r)$ of the rayAttack algorithm (with $n = pq$) then is given by

r — p 

T,^y{e,pq,r) = T(o{e,pq,r) +TeucM{e,(o{e,pq,r)), 

log, pq 

and since by $\omega(e,pq,r) < n$ we have $T_{\mathrm{euclid}}(e, \omega(e,pq,r)) < T_{\mathrm{euclid}}(e, pq)$, we obtain



T,^y{e,pq,r) < ( / ^ + l) log J{3 - ^) pq] 

+ {r-p) (i + ^^2mr)\-{\og,pqY 



log, pq 

$O((r-p) \ln r \cdot \ln e \cdot \ln pq)$. (42)

(Note that $f(r) = O(r)$.)



4 Discussion 

In this article a new ansatz to attack RSA cryptosystems is described, based on geometric properties of the Euler functions, the Euler function rays. However, a resulting algorithm turns out to be inefficient. It essentially consists of a loop with starting value determined by the Euler function ray and with step width given by a function $\omega_e(n)$ being a multiple of the order $\mathrm{ord}_n(e)$, where $e$ denotes the public key exponent and $n$ the RSA modulus. For $n = pq$ and an estimate $r < \sqrt{pq}$ for the smaller prime factor $p$, the running time is given by $T(e,n,r) = O((r-p) \ln e \ln n \ln r)$.

In other words, this attack is queuing up into a long series of failed attacks on RSA. So, what is gained in the end? First, we achieved a small mathematical novelty, the Euler function rays, i.e. geometrical properties of the Euler function. To my knowledge they have never been mentioned before. Second, the $\omega$-function has been introduced, being closely related to the order of a number but being more appropriate for practical purposes. Finally, this trial as another failure in fact is good news. It seems that e-commerce based on RSA can go on.



A Appendix 

A.l Euler's Theorem 

If $n$ is a prime, the set of all numbers (more exactly: of all residue classes) modulo $n$ is a field with respect to addition and multiplication, as is well known. However, if $n$ is a composite integer, the ring of all numbers modulo $n$ is not a field, because the cancellation of a number (more exactly: a congruence) modulo $n$ by any divisor $d$ of $n$ also requires the corresponding cancellation of $n$, and thus carries us from the ring modulo $n$ to another ring, namely modulo $n/d$. In this case, $d$ is said to be a zero divisor of the ring, since $d \mid n$ and $n = n/d = 0 \bmod n/d$. For instance, for $n = 9$ the congruence

$$15 = 6 \bmod 9$$

is cancelled by $d = 3$ through

$$\frac{15}{d} = \frac{6}{d} \bmod \frac{9}{\gcd(d,9)}, \quad \text{or} \quad 5 = 2 \bmod 3.$$

However, if we avoid the zero divisors of $n$ and consider only those numbers (more exactly: primitive residue classes) $a \bmod n$ with $\gcd(a,n) = 1$, then all divisions by these elements can be uniquely performed. For example, by $\gcd(5, 12) = 1$

$$5x = 10 \bmod 12 \iff x = 2 \bmod 12.$$



These numbers actually constitute a multiplicative group of order $\varphi(n)$:

Definition A.1 For $n \in \mathbb{N}$, $n > 1$, Euler's $\varphi$-function or totient function assigns to $n$ the number $\varphi(n)$ of positive integers $k < n$ relatively prime to $n$, i.e.

$$\varphi(n) = \#\mathbb{Z}_n^*, \quad \text{where } \mathbb{Z}_n^* = \{k \in \mathbb{N} : k < n \text{ and } \gcd(k,n) = 1\}. \tag{43}$$

$\mathbb{Z}_n^*$ is the multiplicative group modulo $n$. For instance, the set of numbers less than 12 and relatively prime to 12 are $\{1, 5, 7, 11\}$, and thus $\varphi(12) = 4$. An explicit formula denotes

$$\varphi(n) = p_1^{a_1 - 1} \cdots p_r^{a_r - 1} \cdot (p_1 - 1) \cdots (p_r - 1) = n \cdot \prod_{p \mid n} \left(1 - \frac{1}{p}\right). \tag{44}$$

Theorem A.2 (Euler's Theorem) If $\gcd(m,n) = 1$, then

$$m^{\varphi(n)} = 1 \bmod n. \tag{45}$$

For a proof see, e.g., [7, §4.1].



A.2 The Carmichael function and Carmichael's Theorem 

Euler's Theorem can be strengthened. As we will see, this will yield an efficient determination of key pairs of an RSA public key cryptosystem, much more efficient than the originally (and yet nowadays in many textbooks) proposed procedure based on Euler's Theorem.

Definition A.3 For $n \in \mathbb{N}$ let $n = \prod_{i=1}^r p_i^{a_i}$ be its prime factorisation. Then the Carmichael¹ function $\lambda$ is given by $\lambda(n) = \mathrm{lcm}\,[\lambda(p_i^{a_i})]_i$, where for each $i = 1, \ldots, r$,

$$\lambda(p_i^{a_i}) = \begin{cases} 2^{a_i - 2} & \text{if } p_i = 2 \text{ and } a_i \geq 3, \\ p_i^{a_i - 1}(p_i - 1) & \text{otherwise.} \end{cases} \tag{46}$$

For $n > 2$, $\lambda(n)$ is even (since $p_i - 1$ as an even integer divides $\lambda(n)$); for $n = 2$, we have simply $\lambda(2) = \varphi(2) = 1$. Moreover, since $\lambda(n)$ is the least common multiple of factors of $\varphi(n)$, it divides the Euler totient function:

$$2 \mid \lambda(n) \mid \varphi(n) \quad \text{for } n > 2. \tag{47}$$

Theorem A.4 (Carmichael's Theorem) If $m, n \in \mathbb{N}$ and $\gcd(m,n) = 1$, then

$$m^{\lambda(n)} = 1 \bmod n. \tag{48}$$

Moreover, $\lambda(n)$ is the smallest exponent with this property.

Using Carmichael's Theorem, we have a way of explicitly writing down the quotient of two residue classes $a/b \bmod n$. The formula is

$$\frac{a}{b} = ab^{-1} = ab^{\lambda(n) - 1} \bmod n, \quad \text{if } \gcd(b,n) = 1, \tag{49}$$

i.e. $b^{-1} = b^{\lambda(n) - 1} \bmod n$.

Example A.5 For $n = 65\,520 = 2^4 \cdot 3^2 \cdot 5 \cdot 7 \cdot 13$, Euler's function assumes the value $\varphi(n) = 8 \cdot 6 \cdot 4 \cdot 6 \cdot 12 = 13\,824$, while $\lambda(n) = \mathrm{lcm}(4, 6, 4, 6, 12) = 12$. For all $m$ with $\gcd(m,n) = 1$ we thus have

$$m^{12} = 1 \bmod 65520.$$

For each $m$ with $\gcd(m,n) = 1$ we have $m^{-1} = m^{11} \bmod 65520$. For instance,

$$\frac{1}{11} = 11^{11} = 47651 \bmod 65520.$$

Theorem A.6 If $n \in \mathbb{N}$ is a product of distinct primes, i.e. $n = \prod_i p_i$, then

For a proof see, e.g., [8, §A2]. 

If the multiplicative group $\mathbb{Z}_n^* = \{m : 1 \leq m, \gcd(m,n) = 1\}$ decomposes into the subgroups $G_i$,

$$\mathbb{Z}_n^* = G_1 \times G_2 \times \ldots \times G_k, \tag{51}$$

and if $d_i$ is the order of the group $G_i$, then each element $m \in \mathbb{Z}_n^*$ can be written in the form

$$m = g_1^{e_1} g_2^{e_2} \cdots g_k^{e_k} \quad \text{with } 1 \leq e_i \leq d_i. \tag{52}$$

Furthermore, for each $i$,

$$g_i^{d_i} = 1 \bmod n, \quad \text{with } d_i \mid \lambda(n). \tag{53}$$

For instance, $\mathbb{Z}_{15}^* = \{1, 2, 4, 7, 8, 11, 13, 14\}$. We see that $\varphi(15) = 8 = \#\mathbb{Z}_{15}^*$. All possible subgroups $G_i$ of $\mathbb{Z}_{15}^*$ are the following ones.

$$G_1 = \{1\}, \quad G_2 = \{1, 4\}, \quad G_3 = \{1, 11\}, \quad G_4 = \{1, 14\},$$
$$G_5 = \{1, 2, 4, 8\}, \quad G_6 = \{1, 4, 7, 13\}.$$

Hence $d_1 = 1$, $d_2 = d_3 = d_4 = 2$, and $d_5 = d_6 = 4$. They all divide $\lambda(15) = 4$.

Corollary A.7 Let $e, m, n \in \mathbb{N}$, $n > 1$, and either $n$ a product of distinct primes, or $\gcd(m,n) = 1$. Then for all $e \in \mathbb{N}$

$$m^e = m^{e \bmod \lambda(n)} \bmod n. \tag{54}$$

¹Robert D. Carmichael (1879 - 1967), U.S. mathematician

Lemma A.8 For $n \in \mathbb{N}$,

$$\lambda(n) \leq n - 1. \tag{55}$$

Proof. Because $\lambda(p) < p$ for every prime, $\lambda(n) < n$ as the least common multiple of the Carmichael function values of the prime factors of $n$. □